/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.] */

#include <openssl/x509.h>

#include <string.h>

#include <openssl/asn1.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/x509v3.h>

#include "../internal.h"
#include "../x509v3/internal.h"
#include "internal.h"

// Although this file is in crypto/x509 for layering purposes, it emits
// errors from the ASN.1 module for OpenSSL compatibility.

#define ASN1_GEN_FLAG 0x10000
#define ASN1_GEN_FLAG_IMP (ASN1_GEN_FLAG | 1)
#define ASN1_GEN_FLAG_EXP (ASN1_GEN_FLAG | 2)
#define ASN1_GEN_FLAG_TAG (ASN1_GEN_FLAG | 3)
#define ASN1_GEN_FLAG_BITWRAP (ASN1_GEN_FLAG | 4)
#define ASN1_GEN_FLAG_OCTWRAP (ASN1_GEN_FLAG | 5)
#define ASN1_GEN_FLAG_SEQWRAP (ASN1_GEN_FLAG | 6)
#define ASN1_GEN_FLAG_SETWRAP (ASN1_GEN_FLAG | 7)
#define ASN1_GEN_FLAG_FORMAT (ASN1_GEN_FLAG | 8)

#define ASN1_GEN_STR(str, val) \
  { str, sizeof(str) - 1, val }

#define ASN1_FLAG_EXP_MAX 20
// Maximum number of nested sequences
#define ASN1_GEN_SEQ_MAX_DEPTH 50

// Input formats

// ASCII: default
#define ASN1_GEN_FORMAT_ASCII 1
// UTF8
#define ASN1_GEN_FORMAT_UTF8 2
// Hex
#define ASN1_GEN_FORMAT_HEX 3
// List of bits
#define ASN1_GEN_FORMAT_BITLIST 4

struct tag_name_st {
  const char *strnam;
  int len;
  int tag;
};

typedef struct {
  int exp_tag;
  int exp_class;
  int exp_constructed;
  int exp_pad;
  long exp_len;
} tag_exp_type;

typedef struct {
  int imp_tag;
  int imp_class;
  int utype;
  int format;
  const char *str;
  tag_exp_type exp_list[ASN1_FLAG_EXP_MAX];
  int exp_count;
} tag_exp_arg;

static ASN1_TYPE *generate_v3(const char *str, X509V3_CTX *cnf, int depth,
                              int *perr);
static int bitstr_cb(const char *elem, int len, void *bitstr);
static int asn1_cb(const char *elem, int len, void *bitstr);
static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class,
                      int exp_constructed, int exp_pad, int imp_ok);
static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass);
static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
                             int depth, int *perr);
static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype);
static int asn1_str2tag(const char *tagstr, int len);

ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf) {
  int err = 0;
  ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err);
  if (err) {
    OPENSSL_PUT_ERROR(ASN1, err);
  }
  return ret;
}

static ASN1_TYPE *generate_v3(const char *str, X509V3_CTX *cnf, int depth,
                              int *perr) {
  ASN1_TYPE *ret;
  tag_exp_arg asn1_tags;
  tag_exp_type *etmp;

  int i, len;

  unsigned char *orig_der = NULL, *new_der = NULL;
  const unsigned char *cpy_start;
  unsigned char *p;
  const unsigned char *cp;
  int cpy_len;
  long hdr_len = 0;
  int hdr_constructed = 0, hdr_tag, hdr_class;
  int r;

  asn1_tags.imp_tag = -1;
  asn1_tags.imp_class = -1;
  asn1_tags.format = ASN1_GEN_FORMAT_ASCII;
  asn1_tags.exp_count = 0;
  if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) {
    *perr = ASN1_R_UNKNOWN_TAG;
    return NULL;
  }

  if ((asn1_tags.utype == V_ASN1_SEQUENCE) || (asn1_tags.utype == V_ASN1_SET)) {
    if (!cnf) {
      *perr = ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG;
      return NULL;
    }
    if (depth >= ASN1_GEN_SEQ_MAX_DEPTH) {
      *perr = ASN1_R_ILLEGAL_NESTED_TAGGING;
      return NULL;
    }
    ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf, depth, perr);
  } else {
    ret = asn1_str2type(asn1_tags.str, asn1_tags.format, asn1_tags.utype);
  }

  if (!ret) {
    return NULL;
  }

  // If no tagging return base type
  if ((asn1_tags.imp_tag == -1) && (asn1_tags.exp_count == 0)) {
    return ret;
  }

  // Generate the encoding
  cpy_len = i2d_ASN1_TYPE(ret, &orig_der);
  ASN1_TYPE_free(ret);
  ret = NULL;
  // Set point to start copying for modified encoding
  cpy_start = orig_der;

  // Do we need IMPLICIT tagging?
  if (asn1_tags.imp_tag != -1) {
    // If IMPLICIT we will replace the underlying tag
    // Skip existing tag+len
    r = ASN1_get_object(&cpy_start, &hdr_len, &hdr_tag, &hdr_class, cpy_len);
    if (r & 0x80) {
      goto err;
    }
    // Update copy length
    cpy_len -= cpy_start - orig_der;
    // For IMPLICIT tagging the length should match the original length
    // and constructed flag should be consistent.
    hdr_constructed = r & V_ASN1_CONSTRUCTED;
    // Work out new length with IMPLICIT tag: ignore constructed because
    // it will mess up if indefinite length
    len = ASN1_object_size(0, hdr_len, asn1_tags.imp_tag);
  } else {
    len = cpy_len;
  }

  // Work out length in any EXPLICIT, starting from end

  for (i = 0, etmp = asn1_tags.exp_list + asn1_tags.exp_count - 1;
       i < asn1_tags.exp_count; i++, etmp--) {
    // Content length: number of content octets + any padding
    len += etmp->exp_pad;
    etmp->exp_len = len;
    // Total object length: length including new header
    len = ASN1_object_size(0, len, etmp->exp_tag);
  }

  // Allocate buffer for new encoding

  new_der = OPENSSL_malloc(len);
  if (!new_der) {
    goto err;
  }

  // Generate tagged encoding

  p = new_der;

  // Output explicit tags first

  for (i = 0, etmp = asn1_tags.exp_list; i < asn1_tags.exp_count; i++, etmp++) {
    ASN1_put_object(&p, etmp->exp_constructed, etmp->exp_len, etmp->exp_tag,
                    etmp->exp_class);
    if (etmp->exp_pad) {
      *p++ = 0;
    }
  }

  // If IMPLICIT, output tag

  if (asn1_tags.imp_tag != -1) {
    if (asn1_tags.imp_class == V_ASN1_UNIVERSAL &&
        (asn1_tags.imp_tag == V_ASN1_SEQUENCE ||
         asn1_tags.imp_tag == V_ASN1_SET)) {
      hdr_constructed = V_ASN1_CONSTRUCTED;
    }
    ASN1_put_object(&p, hdr_constructed, hdr_len, asn1_tags.imp_tag,
                    asn1_tags.imp_class);
  }

  // Copy across original encoding
  OPENSSL_memcpy(p, cpy_start, cpy_len);

  cp = new_der;

  // Obtain new ASN1_TYPE structure
  ret = d2i_ASN1_TYPE(NULL, &cp, len);

err:
  OPENSSL_free(orig_der);
  OPENSSL_free(new_der);
  return ret;
}

static int asn1_cb(const char *elem, int len, void *bitstr) {
  tag_exp_arg *arg = bitstr;
  int i;
  int utype;
  int vlen = 0;
  const char *p, *vstart = NULL;

  int tmp_tag, tmp_class;

  if (elem == NULL) {
    return -1;
  }

  for (i = 0, p = elem; i < len; p++, i++) {
    // Look for the ':' in name value pairs
    if (*p == ':') {
      vstart = p + 1;
      vlen = len - (vstart - elem);
      len = p - elem;
      break;
    }
  }

  utype = asn1_str2tag(elem, len);

  if (utype == -1) {
    OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_TAG);
    ERR_add_error_data(2, "tag=", elem);
    return -1;
  }

  // If this is not a modifier mark end of string and exit
  if (!(utype & ASN1_GEN_FLAG)) {
    arg->utype = utype;
    arg->str = vstart;
    // If no value and not end of string, error
    if (!vstart && elem[len]) {
      OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_VALUE);
      return -1;
    }
    return 0;
  }

  switch (utype) {
    case ASN1_GEN_FLAG_IMP:
      // Check for illegal multiple IMPLICIT tagging
      if (arg->imp_tag != -1) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NESTED_TAGGING);
        return -1;
      }
      if (!parse_tagging(vstart, vlen, &arg->imp_tag, &arg->imp_class)) {
        return -1;
      }
      break;

    case ASN1_GEN_FLAG_EXP:

      if (!parse_tagging(vstart, vlen, &tmp_tag, &tmp_class)) {
        return -1;
      }
      if (!append_exp(arg, tmp_tag, tmp_class, 1, 0, 0)) {
        return -1;
      }
      break;

    case ASN1_GEN_FLAG_SEQWRAP:
      if (!append_exp(arg, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, 1, 0, 1)) {
        return -1;
      }
      break;

    case ASN1_GEN_FLAG_SETWRAP:
      if (!append_exp(arg, V_ASN1_SET, V_ASN1_UNIVERSAL, 1, 0, 1)) {
        return -1;
      }
      break;

    case ASN1_GEN_FLAG_BITWRAP:
      if (!append_exp(arg, V_ASN1_BIT_STRING, V_ASN1_UNIVERSAL, 0, 1, 1)) {
        return -1;
      }
      break;

    case ASN1_GEN_FLAG_OCTWRAP:
      if (!append_exp(arg, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL, 0, 0, 1)) {
        return -1;
      }
      break;

    case ASN1_GEN_FLAG_FORMAT:
      if (!vstart) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_FORMAT);
        return -1;
      }
      if (!strncmp(vstart, "ASCII", 5)) {
        arg->format = ASN1_GEN_FORMAT_ASCII;
      } else if (!strncmp(vstart, "UTF8", 4)) {
        arg->format = ASN1_GEN_FORMAT_UTF8;
      } else if (!strncmp(vstart, "HEX", 3)) {
        arg->format = ASN1_GEN_FORMAT_HEX;
      } else if (!strncmp(vstart, "BITLIST", 7)) {
        arg->format = ASN1_GEN_FORMAT_BITLIST;
      } else {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_FORMAT);
        return -1;
      }
      break;
  }

  return 1;
}

static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass) {
  char erch[2];
  long tag_num;
  char *eptr;
  if (!vstart) {
    return 0;
  }
  tag_num = strtoul(vstart, &eptr, 10);
  // Check we haven't gone past max length: should be impossible
  if (eptr && *eptr && (eptr > vstart + vlen)) {
    return 0;
  }
  if (tag_num < 0) {
    OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_NUMBER);
    return 0;
  }
  *ptag = tag_num;
  // If we have non numeric characters, parse them
  if (eptr) {
    vlen -= eptr - vstart;
  } else {
    vlen = 0;
  }
  if (vlen) {
    switch (*eptr) {
      case 'U':
        *pclass = V_ASN1_UNIVERSAL;
        break;

      case 'A':
        *pclass = V_ASN1_APPLICATION;
        break;

      case 'P':
        *pclass = V_ASN1_PRIVATE;
        break;

      case 'C':
        *pclass = V_ASN1_CONTEXT_SPECIFIC;
        break;

      default:
        erch[0] = *eptr;
        erch[1] = 0;
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_MODIFIER);
        ERR_add_error_data(2, "Char=", erch);
        return 0;
        break;
    }
  } else {
    *pclass = V_ASN1_CONTEXT_SPECIFIC;
  }

  return 1;
}

// Handle multiple types: SET and SEQUENCE

static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
                             int depth, int *perr) {
  ASN1_TYPE *ret = NULL;
  STACK_OF(ASN1_TYPE) *sk = NULL;
  STACK_OF(CONF_VALUE) *sect = NULL;
  unsigned char *der = NULL;
  int derlen;
  size_t i;
  sk = sk_ASN1_TYPE_new_null();
  if (!sk) {
    goto bad;
  }
  if (section) {
    if (!cnf) {
      goto bad;
    }
    sect = X509V3_get_section(cnf, (char *)section);
    if (!sect) {
      goto bad;
    }
    for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
      ASN1_TYPE *typ = generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf,
                                   depth + 1, perr);
      if (!typ) {
        goto bad;
      }
      if (!sk_ASN1_TYPE_push(sk, typ)) {
        goto bad;
      }
    }
  }

  // Now we has a STACK of the components, convert to the correct form

  if (utype == V_ASN1_SET) {
    derlen = i2d_ASN1_SET_ANY(sk, &der);
  } else {
    derlen = i2d_ASN1_SEQUENCE_ANY(sk, &der);
  }

  if (derlen < 0) {
    goto bad;
  }

  if (!(ret = ASN1_TYPE_new())) {
    goto bad;
  }

  if (!(ret->value.asn1_string = ASN1_STRING_type_new(utype))) {
    goto bad;
  }

  ret->type = utype;

  ret->value.asn1_string->data = der;
  ret->value.asn1_string->length = derlen;

  der = NULL;

bad:
  OPENSSL_free(der);
  sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free);
  X509V3_section_free(cnf, sect);
  return ret;
}

static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class,
                      int exp_constructed, int exp_pad, int imp_ok) {
  tag_exp_type *exp_tmp;
  // Can only have IMPLICIT if permitted
  if ((arg->imp_tag != -1) && !imp_ok) {
    OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_IMPLICIT_TAG);
    return 0;
  }

  if (arg->exp_count == ASN1_FLAG_EXP_MAX) {
    OPENSSL_PUT_ERROR(ASN1, ASN1_R_DEPTH_EXCEEDED);
    return 0;
  }

  exp_tmp = &arg->exp_list[arg->exp_count++];

  // If IMPLICIT set tag to implicit value then reset implicit tag since it
  // has been used.
  if (arg->imp_tag != -1) {
    exp_tmp->exp_tag = arg->imp_tag;
    exp_tmp->exp_class = arg->imp_class;
    arg->imp_tag = -1;
    arg->imp_class = -1;
  } else {
    exp_tmp->exp_tag = exp_tag;
    exp_tmp->exp_class = exp_class;
  }
  exp_tmp->exp_constructed = exp_constructed;
  exp_tmp->exp_pad = exp_pad;

  return 1;
}

static int asn1_str2tag(const char *tagstr, int len) {
  unsigned int i;
  static const struct tag_name_st *tntmp,
      tnst[] = {
          ASN1_GEN_STR("BOOL", V_ASN1_BOOLEAN),
          ASN1_GEN_STR("BOOLEAN", V_ASN1_BOOLEAN),
          ASN1_GEN_STR("NULL", V_ASN1_NULL),
          ASN1_GEN_STR("INT", V_ASN1_INTEGER),
          ASN1_GEN_STR("INTEGER", V_ASN1_INTEGER),
          ASN1_GEN_STR("ENUM", V_ASN1_ENUMERATED),
          ASN1_GEN_STR("ENUMERATED", V_ASN1_ENUMERATED),
          ASN1_GEN_STR("OID", V_ASN1_OBJECT),
          ASN1_GEN_STR("OBJECT", V_ASN1_OBJECT),
          ASN1_GEN_STR("UTCTIME", V_ASN1_UTCTIME),
          ASN1_GEN_STR("UTC", V_ASN1_UTCTIME),
          ASN1_GEN_STR("GENERALIZEDTIME", V_ASN1_GENERALIZEDTIME),
          ASN1_GEN_STR("GENTIME", V_ASN1_GENERALIZEDTIME),
          ASN1_GEN_STR("OCT", V_ASN1_OCTET_STRING),
          ASN1_GEN_STR("OCTETSTRING", V_ASN1_OCTET_STRING),
          ASN1_GEN_STR("BITSTR", V_ASN1_BIT_STRING),
          ASN1_GEN_STR("BITSTRING", V_ASN1_BIT_STRING),
          ASN1_GEN_STR("UNIVERSALSTRING", V_ASN1_UNIVERSALSTRING),
          ASN1_GEN_STR("UNIV", V_ASN1_UNIVERSALSTRING),
          ASN1_GEN_STR("IA5", V_ASN1_IA5STRING),
          ASN1_GEN_STR("IA5STRING", V_ASN1_IA5STRING),
          ASN1_GEN_STR("UTF8", V_ASN1_UTF8STRING),
          ASN1_GEN_STR("UTF8String", V_ASN1_UTF8STRING),
          ASN1_GEN_STR("BMP", V_ASN1_BMPSTRING),
          ASN1_GEN_STR("BMPSTRING", V_ASN1_BMPSTRING),
          ASN1_GEN_STR("VISIBLESTRING", V_ASN1_VISIBLESTRING),
          ASN1_GEN_STR("VISIBLE", V_ASN1_VISIBLESTRING),
          ASN1_GEN_STR("PRINTABLESTRING", V_ASN1_PRINTABLESTRING),
          ASN1_GEN_STR("PRINTABLE", V_ASN1_PRINTABLESTRING),
          ASN1_GEN_STR("T61", V_ASN1_T61STRING),
          ASN1_GEN_STR("T61STRING", V_ASN1_T61STRING),
          ASN1_GEN_STR("TELETEXSTRING", V_ASN1_T61STRING),
          ASN1_GEN_STR("GeneralString", V_ASN1_GENERALSTRING),
          ASN1_GEN_STR("GENSTR", V_ASN1_GENERALSTRING),
          ASN1_GEN_STR("NUMERIC", V_ASN1_NUMERICSTRING),
          ASN1_GEN_STR("NUMERICSTRING", V_ASN1_NUMERICSTRING),

          // Special cases
          ASN1_GEN_STR("SEQUENCE", V_ASN1_SEQUENCE),
          ASN1_GEN_STR("SEQ", V_ASN1_SEQUENCE),
          ASN1_GEN_STR("SET", V_ASN1_SET),
          // type modifiers
          // Explicit tag
          ASN1_GEN_STR("EXP", ASN1_GEN_FLAG_EXP),
          ASN1_GEN_STR("EXPLICIT", ASN1_GEN_FLAG_EXP),
          // Implicit tag
          ASN1_GEN_STR("IMP", ASN1_GEN_FLAG_IMP),
          ASN1_GEN_STR("IMPLICIT", ASN1_GEN_FLAG_IMP),
          // OCTET STRING wrapper
          ASN1_GEN_STR("OCTWRAP", ASN1_GEN_FLAG_OCTWRAP),
          // SEQUENCE wrapper
          ASN1_GEN_STR("SEQWRAP", ASN1_GEN_FLAG_SEQWRAP),
          // SET wrapper
          ASN1_GEN_STR("SETWRAP", ASN1_GEN_FLAG_SETWRAP),
          // BIT STRING wrapper
          ASN1_GEN_STR("BITWRAP", ASN1_GEN_FLAG_BITWRAP),
          ASN1_GEN_STR("FORM", ASN1_GEN_FLAG_FORMAT),
          ASN1_GEN_STR("FORMAT", ASN1_GEN_FLAG_FORMAT),
      };

  if (len == -1) {
    len = strlen(tagstr);
  }

  tntmp = tnst;
  for (i = 0; i < sizeof(tnst) / sizeof(struct tag_name_st); i++, tntmp++) {
    if ((len == tntmp->len) && !strncmp(tntmp->strnam, tagstr, len)) {
      return tntmp->tag;
    }
  }

  return -1;
}

static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype) {
  ASN1_TYPE *atmp = NULL;

  CONF_VALUE vtmp;

  unsigned char *rdata;
  long rdlen;

  int no_unused = 1;

  if (!(atmp = ASN1_TYPE_new())) {
    OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

  if (!str) {
    str = "";
  }

  switch (utype) {
    case V_ASN1_NULL:
      if (str && *str) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NULL_VALUE);
        goto bad_form;
      }
      break;

    case V_ASN1_BOOLEAN:
      if (format != ASN1_GEN_FORMAT_ASCII) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ASCII_FORMAT);
        goto bad_form;
      }
      vtmp.name = NULL;
      vtmp.section = NULL;
      vtmp.value = (char *)str;
      if (!X509V3_get_value_bool(&vtmp, &atmp->value.boolean)) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_BOOLEAN);
        goto bad_str;
      }
      break;

    case V_ASN1_INTEGER:
    case V_ASN1_ENUMERATED:
      if (format != ASN1_GEN_FORMAT_ASCII) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_INTEGER_NOT_ASCII_FORMAT);
        goto bad_form;
      }
      if (!(atmp->value.integer = s2i_ASN1_INTEGER(NULL, (char *)str))) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_INTEGER);
        goto bad_str;
      }
      break;

    case V_ASN1_OBJECT:
      if (format != ASN1_GEN_FORMAT_ASCII) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_OBJECT_NOT_ASCII_FORMAT);
        goto bad_form;
      }
      if (!(atmp->value.object = OBJ_txt2obj(str, 0))) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OBJECT);
        goto bad_str;
      }
      break;

    case V_ASN1_UTCTIME:
    case V_ASN1_GENERALIZEDTIME:
      if (format != ASN1_GEN_FORMAT_ASCII) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_TIME_NOT_ASCII_FORMAT);
        goto bad_form;
      }
      if (!(atmp->value.asn1_string = ASN1_STRING_new())) {
        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
        goto bad_str;
      }
      if (!ASN1_STRING_set(atmp->value.asn1_string, str, -1)) {
        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
        goto bad_str;
      }
      atmp->value.asn1_string->type = utype;
      if (!ASN1_TIME_check(atmp->value.asn1_string)) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TIME_VALUE);
        goto bad_str;
      }

      break;

    case V_ASN1_BMPSTRING:
    case V_ASN1_PRINTABLESTRING:
    case V_ASN1_IA5STRING:
    case V_ASN1_T61STRING:
    case V_ASN1_UTF8STRING:
    case V_ASN1_VISIBLESTRING:
    case V_ASN1_UNIVERSALSTRING:
    case V_ASN1_GENERALSTRING:
    case V_ASN1_NUMERICSTRING:

      if (format == ASN1_GEN_FORMAT_ASCII) {
        format = MBSTRING_ASC;
      } else if (format == ASN1_GEN_FORMAT_UTF8) {
        format = MBSTRING_UTF8;
      } else {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_FORMAT);
        goto bad_form;
      }

      if (ASN1_mbstring_copy(&atmp->value.asn1_string, (unsigned char *)str, -1,
                             format, ASN1_tag2bit(utype)) <= 0) {
        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
        goto bad_str;
      }

      break;

    case V_ASN1_BIT_STRING:

    case V_ASN1_OCTET_STRING:

      if (!(atmp->value.asn1_string = ASN1_STRING_new())) {
        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
        goto bad_form;
      }

      if (format == ASN1_GEN_FORMAT_HEX) {
        if (!(rdata = x509v3_hex_to_bytes((char *)str, &rdlen))) {
          OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_HEX);
          goto bad_str;
        }

        atmp->value.asn1_string->data = rdata;
        atmp->value.asn1_string->length = rdlen;
        atmp->value.asn1_string->type = utype;

      } else if (format == ASN1_GEN_FORMAT_ASCII) {
        ASN1_STRING_set(atmp->value.asn1_string, str, -1);
      } else if ((format == ASN1_GEN_FORMAT_BITLIST) &&
                 (utype == V_ASN1_BIT_STRING)) {
        if (!CONF_parse_list(str, ',', 1, bitstr_cb, atmp->value.bit_string)) {
          OPENSSL_PUT_ERROR(ASN1, ASN1_R_LIST_ERROR);
          goto bad_str;
        }
        no_unused = 0;

      } else {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_BITSTRING_FORMAT);
        goto bad_form;
      }

      if ((utype == V_ASN1_BIT_STRING) && no_unused) {
        atmp->value.asn1_string->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
        atmp->value.asn1_string->flags |= ASN1_STRING_FLAG_BITS_LEFT;
      }

      break;

    default:
      OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNSUPPORTED_TYPE);
      goto bad_str;
      break;
  }

  atmp->type = utype;
  return atmp;

bad_str:
  ERR_add_error_data(2, "string=", str);
bad_form:

  ASN1_TYPE_free(atmp);
  return NULL;
}

static int bitstr_cb(const char *elem, int len, void *bitstr) {
  long bitnum;
  char *eptr;
  if (!elem) {
    return 0;
  }
  bitnum = strtoul(elem, &eptr, 10);
  if (eptr && *eptr && (eptr != elem + len)) {
    return 0;
  }
  if (bitnum < 0) {
    OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_NUMBER);
    return 0;
  }
  if (!ASN1_BIT_STRING_set_bit(bitstr, bitnum, 1)) {
    OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
    return 0;
  }
  return 1;
}
